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About the Documentation 


Documentation and Release Notes on page vii 
Supported Platforms on page vii 
Documentation Conventions on page vii 
Documentation Feedback on page ix 


Requesting Technical Support on page x 


Documentation and Release Notes 


To obtain the most current version of all Juniper Networks® technical documentation, 
see the product documentation page on the Juniper Networks website at 
http://www.juniper.net/techpubs/. 


If the information in the latest release notes differs from the information in the 
documentation, follow the product Release Notes. 


Juniper Networks Books publishes books by Juniper Networks engineers and subject 
matter experts. These books go beyond the technical documentation to explore the 
nuances of network architecture, deployment, and administration. The current list can 
be viewed at http://www.juniper.net/books. 


Supported Platforms 


For the features described in this document, the following platforms are supported: 


SRX Series 


Documentation Conventions 


Table 1 on page viii defines notice icons used in this guide. 
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Table 1: Notice Icons 


Meaning 


DY=t-{etg| eo) (0) 8) 


a 
=) 


Informational note 


Indicates important features or instructions. 





Caution 


Indicates a situation that might result in loss of data or hardware damage. 





Warning 


> © 


Alerts you to the risk of personal injury or death. 





Laser warning 


Alerts you to the risk of personal injury from a laser. 





Tip 


© > 


Indicates helpful information. 





Best practice 


we 


Alerts you to a recommended use or implementation. 





Table 2 on page viii defines the text and syntax conventions used in this guide. 


Table 2: Text and Syntax Conventions 


(@fo)a\V(=1aia(e)a) 


Bold text like this 


Description 


Represents text that you type. 


=><o1 an] 0) (=159 


To enter configuration mode, type the 
configure command: 


user@host> configure 





Fixed-width text like this 


Represents output that appears on the 
terminal screen. 


user@host> show chassis alarms 


No alarms currently active 











Italic text like this e Introduces or emphasizes important e Apolicy term is anamed structure 
new terms. that defines match conditions and 
« Identifies guide names. actions. 
+ Identifies RFC and Internet draft titles. * /U70S OS CLI User Guide 
e« RFC1997, BGP Communities Attribute 
Italic text like this Represents variables (options for which Configure the machine’s domain name: 
you substitute a value) in commands or 
configuration statements. [edit] 
root@# set system domain-name 
domain-name 
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Table 2: Text and Syntax Conventions (continued) 


(@fo)a\V(=1aia(e)a) 


Text like this 


Description =><o1 an] 0) (=I) 

Represents names of configuration « Toconfigure a stub area, include the 
statements, commands, files, and stub statement at the [edit protocols 
directories; configuration hierarchy levels; ospf area area-id] hierarchy level. 

or labels on routing platform * Theconsole port is labeled CONSOLE. 
components. 





< > (angle brackets) 


Encloses optional keywords or variables. stub <default-metric metric>; 





| (pipe symbol) 


Indicates a choice between the mutually broadcast | multicast 
exclusive keywords or variables on either 

side of the symbol. The set of choicesis  (string1| string2 | string3) 
often enclosed in parentheses for clarity. 





# (pound sign) 


Indicates a comment specified on the rsvp { # Required for dynamic MPLS only 
same line as the configuration statement 
to which it applies. 











[ ] (square brackets) Encloses a variable for which you can community name members [ 
substitute one or more values. community-ids ] 
Indention and braces ( { } ) Identifies a level in the configuration [edit] 
hierarchy. routing-options { 
static { 
; (semicolon) Identifies a leaf statement at a route default { 
configuration hierarchy level. nexthop address; 
retain; 
} 
} 


GUI Conventions 


Bold text like this 


} 


Represents graphical user interface (GUI) + Inthe Logical Interfaces box, select 
items you click or select. All Interfaces. 


e Tocancel the configuration, click 
Cancel. 





> (bold right angle bracket) 


Separates levels in a hierarchy of menu In the configuration editor hierarchy, 
selections. select Protocols>Ospf. 





Documentation Feedback 


We encourage you to provide feedback, comments, and suggestions so that we can 
improve the documentation. You can provide feedback by using either of the following 
methods: 


+ Online feedback rating system—On any page of the Juniper Networks TechLibrary site 
at http://www.juniper.net/techpubs/index.html, simply click the stars to rate the content, 
and use the pop-up form to provide us with information about your experience. 
Alternately, you can use the online feedback form at 
http://www.juniper.net/techpubs/feedback/. 
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« E-mail—Send your comments to techpubs-comments@juniper.net. Include the document 
or topic name, URL or page number, and software version (if applicable). 


Requesting Technical Support 


Technical product support is available through the Juniper Networks Technical Assistance 
Center (JTAC). If you are a customer with an active J-Care or Partner Support Service 
support contract, or are covered under warranty, and need post-sales technical support, 
you can access our tools and resources online or open a case with JTAC. 


« JTAC policies—For a complete understanding of our JTAC procedures and policies, 
review the JTAC User Guide located at 
http://www. juniper.net/us/en/local/pdf/resource-guides/7100059-en.pdf. 


¢ Product warranties—For product warranty information, visit 
http://www. juniper.net/support/warranty/. 


« JTAC hours of operation—The JTAC centers have resources available 24 hours a day, 
7 days a week, 365 days a year. 


Self-Help Online Tools and Resources 


For quick and easy problem resolution, Juniper Networks has designed an online 
self-service portal called the Customer Support Center (CSC) that provides you with the 
following features: 


- Find CSC offerings: http://www.juniper.net/customers/support/ 

« Search for known bugs: http://www2.juniper.net/kb/ 

¢ Find product documentation: http://www.juniper.net/techpubs/ 

- Find solutions and answer questions using our Knowledge Base: http://kb.juniper.net/ 


« Download the latest versions of software and review release notes: 
http://www.juniper.net/customers/csc/software/ 


¢ Search technical bulletins for relevant hardware and software notifications: 
http://kb.juniper.net/InfoCenter/ 


¢ Join and participate in the Juniper Networks Community Forum: 
http://www.juniper.net/company/communities/ 


« Open acase online in the CSC Case Management tool: http://www.juniper.net/cm/ 


To verify service entitlement by product serial number, use our Serial Number Entitlement 
(SNE) Tool: https://tools.juniper.net/SerialNumberEntitlementSearch/ 


Opening a Case with JTAC 
You can open a case with JTAC on the Web or by telephone. 


- Use the Case Management tool in the CSC at http://www.juniper.net/cm/. 


¢ Call 1-888-314-JTAC (1-888-314-5822 toll-free in the USA, Canada, and Mexico). 
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For international or direct-dial options in countries without toll-free numbers, see 
http://www.juniper.net/support/requesting-support.html. 
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CHAPTER 1 


Junos OS in FIPS-Approved Mode of 
Operation for SRX Series Security Devices 


« Understanding Junos OS in FIPS-Approved Mode of Operation on page 13 
- Identifying Secure Delivery on page 15 


« Understanding FIPS-Approved Mode of Operation Terminology and Supported 
Cryptographic Algorithms on page 16 


« Understanding Zeroization to Clear System Data for FIPS-Approved Mode of 
Operation on page 19 


« Understanding FIPS Self-Tests on page 21 
« Applying Tamper-Evident Seals to the Cryptographic Module on page 25 


Understanding Junos OS in FIPS-Approved Mode of Operation 


Federal Information Processing Standards (FIPS) 140-2 defines security levels for 
hardware and software that perform cryptographic functions. Junos-FIPS is a version of 
the Junos operating system (Junos OS) that complies with Federal Information Processing 
Standard (FIPS) 140-2. 


Operating SRX Series devices in a FIPS 140-2 Level 2 environment requires enabling and 
configuring FIPS-approved mode of operation on the device from the Junos OS 
command-line interface (CLI). 


The Cryptographic Officer enables FIPS-approved mode of operation in Junos OS Release 
12.3X48-D30 and sets up keys and passwords for the system and other FIPS users who 
can view the configuration. Both user types can also perform normal configuration tasks 
on the device (such as modify interface types) as individual user configuration allows. 


Oo BEST PRACTICE: Be sure to verify the secure delivery of your device and apply 
tamper-evident seals to its vulnerable ports. 


« About the Cryptographic Boundary on Your Device on page 14 


« How FIPS-Approved Mode of Operation Differs from Non-FIPS-Approved Mode of 
Operation on page 14 


« How Junos OS in FIPS-Approved Mode of Operation Differs from Junos-FIPS on page 15 
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e Validated Version of Junos OS in FIPS-Approved Mode of Operation on page 15 


« How to Use FIPS Documentation on page 15 


About the Cryptographic Boundary on Your Device 


FIPS 140-2 compliance requires a defined cryptographic boundary around each 
cryptographic module on a device. Junos OS in FIPS-approved mode of operation prevents 
the cryptographic module from running any software that is not part of the FIPS-certified 
distribution, and allows only FIPS-approved cryptographic algorithms to be used. No 
critical security parameters (CSPs), such as passwords and keys, can cross the 
cryptographic boundary of the module by, for example, being displayed on a console or 
written to an external log file. 


A CAUTION: Virtual Chassis features are not supported in FIPS-approved mode 
of operation—they have not been tested by Juniper Networks. Do not configure 
a Virtual Chassis in FIPS-approved mode of operation. 


To physically secure the cryptographic module, all Juniper Networks devices require a 
tamper-evident seal on the USB and mini-USB ports. 


How FIPS-Approved Mode of Operation Differs from Non-FIPS-Approved Mode of Operation 


Unlike Junos OS in non-FIPS-approved mode of operation, Junos OS in FIPS-approved 
mode of operation is anonmodifiable operational environment. In addition, Junos OS in 
FIPS-approved mode of operation differs in the following ways from Junos OS in 
non-FIPS-approved mode of operation: 


¢ Self-tests of all cryptographic algorithms are performed at startup. 
- Self-tests of random number and key generation are performed continuously. 


« Weak cryptographic algorithms such as Data Encryption Standard (DES) and MD5 are 
disabled. 


« Weak or unencrypted management connections must not be configured. 


- Passwords must be encrypted with strong one-way algorithms that do not permit 
decryption. 


« Junos-FIPS administrator passwords must be at least 10 characters long. 
« Cryptographic keys must be encrypted before transmission. 


¢ The high availability link must be encrypted for SRX Series high-end devices and is 
disabled for SRX Series branch devices. 


@ NOTE: Inall other ways, Junos-FIPS behaves identically to the standard 
Junos OS image. 


The FIPS 140-2 standard is available for download from the National Institute of Standards 
and Technology (NIST) at http://csrc.nist.gov/publications/fips/fips140-2/fips1402.pdf. 
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How Junos OS in FIPS-Approved Mode of Operation Differs from Junos-FIPS 


Junos OS in FIPS-approved mode of operation is an operating environment of Junos OS 
that you enable from the Junos OS command-line interface (CLI). In contrast, the 
Junos-FIPS image is a separately downloadable Junos OS image available for SRX Series 
Services Gateways. 


Validated Version of Junos OS in FIPS-Approved Mode of Operation 


Juniper Networks submits one Junos OS release per year—Junos OS Release 12.3X48-D30, 
for example—to the National Institute of Standards and Technology (NIST) for validation. 
To determine whether a Junos OS release is NIST-validated, see the software download 
page on the Juniper Networks Web site (http://www.juniper.net/) or the National Institute 
of Standards and Technology site at http://csrc.nist.gov/cryptval/140-1/140lval.htm. 


How to Use FIPS Documentation 


Related 
Documentation 


For configuration and operational tasks that are specific to FIPS-approved mode of 
operation on SRX Series devices, be sure to use the documentation for Junos OS in 
FIPS-approved mode of operation. Do not use the documentation for Junos in 
FIPS-approved mode of operation statements and commands because the syntax and 
options might not apply to FIPS-approved mode of operation. 


e Identifying Secure Delivery on page 15 


« Applying Tamper-Evident Seals to the Cryptographic Module on page 25 


Identifying Secure Delivery 


There are several mechanisms provided in the delivery process to ensure that a customer 
receives a product that has not been tampered with. The customer should perform the 
following checks upon receipt of an appliance to verify the integrity of the platform: 


¢ Shipping label—Ensure that the shipping label correctly identifies the correct customer 
name and address as well as the device. 


- Outside packaging—Inspect the outside shipping box and tape. Ensure that the shipping 
tape has not been cut or otherwise compromised. Ensure that the box has not been 
cut or damaged to allow access to the device. 


- Inside packaging—Inspect the plastic bag and seal. Ensure that the bag is not cut or 
removed. Ensure that the seal remains intact. 


If the customer identifies a problem during the inspection, he or she should immediately 
contact the supplier. Provide the order number, tracking number, and a description of 
the identified problem to the supplier. 
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Related 
Documentation 


Additionally, there are several checks that can be performed to ensure that the customer 
has received a box sent by Juniper Networks and not a different company masquerading 
as Juniper Networks. The customer should perform the following checks upon receipt of 
a device to verify the authenticity of the device: 


- Verify that the device was ordered using a purchase order. Juniper Networks devices 
are never shipped without a purchase order. 


« When adevice is shipped, a shipment notification is sent to the e-mail address provided 
by the customer when the order is taken. Verify that this e-mail notification was received. 
Verify that the e-mail contains the following information: 


« Purchase order number 

e Juniper Networks order number used to track the shipment 
e Carrier tracking number used to track the shipment 

- List of items shipped including serial numbers 


« Address and contacts of both the supplier and the customer 


- Verify that the shipment was initiated by Juniper Networks. To verify that a shipment 
was initiated by Juniper Networks, perform the following tasks: 


e Compare the carrier tracking number of the Juniper Networks order number listed in 
the Juniper Networks shipping notification with the tracking number on the package 
received. 


« Login to the Juniper Networks online customer support portal at 
https://www.juniper.net/customers/csc/management to view the order status. 
Compare the carrier tracking number or the Juniper Networks order number listed in 
the Juniper Networks shipment notification with the tracking number on the package 
received. 


e« Understanding Junos OS in FIPS Approved Mode of Operation on page 13 


Understanding FIPS-Approved Mode of Operation Terminology and Supported 
Cryptographic Algorithms 


FIPS Terminology 


Use the definitions of FIPS terms and supported algorithms to help you understand Junos 
OS in FIPS-approved mode of operation. 

« FIPS Terminology on page 16 

« Supported Cryptographic Algorithms on page 18 


Critical security parameter (CSP)—Security-related information—for example, secret and 
private cryptographic keys and authentication data such as passwords and personal 
identification numbers (PINs)—whose disclosure or modification can compromise 
the security of a cryptographic module or the information it protects. 
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Cryptographic module—The set of hardware, software, and firmware that implements 
approved security functions (including cryptographic algorithms and key generation) 
and is contained within the cryptographic boundary. SRX Series devices are certified 
at FIPS 140-2 Level 1. 


Cryptographic Officer—Person with appropriate permissions who is responsible for securely 
enabling, configuring, monitoring, and maintaining Junos OS in FIPS-approved mode 
of operation on a device. For details, see “Understanding Roles and Services for JUnos 
OS in FIPS Approved Mode of Operation” on page 31. 


ESP—Encapsulating Security Payload (ESP) protocol. The part of the IPsec protocol that 
guarantees the confidentiality of packets through encryption. The protocol ensures 
that if an ESP packet is successfully decrypted, and no other party knows the secret 
key the peers share, the packet was not wiretapped in transit. 


FIPS—Federal Information Processing Standards. FIPS 140-2 specifies requirements for 
security and cryptographic modules. Junos OS in FIPS-approved mode of operation 
complies with FIPS 140-2 Level 1. 


IKE—The Internet Key Exchange (IKE) is part of IPsec and provides ways to securely 
negotiate the shared private keys that the authentication header (AH) and ESP 
portions of IPsec need to function properly. IKE employs Diffie-Hellman key-exchange 
methods and is optional in IPsec. (The shared keys can be entered manually at the 
endpoints.) 


IPsec—The IP Security (IPsec) protocol. A standard way to add security to Internet 
communications. An IPsec security association (SA) establishes secure 
communication with another FIPS cryptographic module by means of mutual 
authentication and encryption. 


KATs—Known answer tests. System self-tests that validate the output of cryptographic 
algorithms approved for FIPS and test the integrity of some Junos OS modules. For 
details, see “Understanding FIPS Self-Tests” on page 21. 


SA—Security association (SA). A connection between hosts that allows them to 
communicate securely by defining, for example, how they exchange private keys. As 
Cryptographic Officer, you must manually configure an internal SA on devices running 
Junos OS in FIPS-approved mode of operation. All values, including the keys, must 
be statically specified in the configuration. 


SPIl—Security parameter index (SPI). A numeric identifier Used with the destination 
address and security protocol in IPsec to identify an SA. Because you manually 
configure the SA for Junos OS in FIPS-approved mode of operation, the SPI must be 
entered as a parameter rather than derived randomly. 


SSH—A protocol that uses strong authentication and encryption for remote access across 
a nonsecure network. SSH provides remote login, remote program execution, file 
copy, and other functions. It is intended as a secure replacement for rlogin, rsh, and 
rcp ina UNIX environment. To secure the information sent over administrative 
connections, Use SSHv2 for CLI configuration. In Junos OS, SSHv2 is enabled by 
default, and SSHv1, which is not considered secure, is disabled. 
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Zeroization—Erasure of all CSPs and other user-created data on a device before its 
operation as a FIPS cryptographic module—or in preparation for repurposing the 
device for non-FIPS operation. The Cryptographic Officer can zeroize the system 
with a CLI operational command. For details, see “Understanding Zeroization to 
Clear System Data for FIPS Approved Mode of Operation” on page 19. 


Supported Cryptographic Algorithms 


Each implementation of an algorithm is checked by a series of known answer test (KAT) 
self-tests. Any self-test failure results in a FIPS error state. 


QO BEST PRACTICE: For FIPS 140-2 compliance, use only FIPS-approved 
cryptographic algorithms in Junos OS in FIPS-approved mode of operation. 


The following cryptographic algorithms are supported in FIPS-approved mode of 
operation. Symmetric methods use the same key for encryption and decryption, while 
asymmetric methods (preferred) use different keys for encryption and decryption. 


AES—The Advanced Encryption Standard (AES), defined in FIPS PUB 197. The AES 
algorithm uses keys of 128, 192, or 256 bits to encrypt and decrypt data in blocks of 
128 bits. 


Diffie-Hellman—A method of key exchange across anonsecure environment (suchas the 
Internet). The Diffie-Hellman algorithm negotiates a session key without sending 
the key itself across the network by allowing each party to pick a partial key 
independently and send part of that key to the other. Each side then calculates a 
common key value. This is a symmetrical method, and keys are typically used only 
for ashort time, discarded, and regenerated. 


ECDH—Elliptic Curve Diffie-Hellman. A variant of the Diffie-Hellman key exchange 
algorithm that uses cryptography based on the algebraic structure of elliptic curves 
over finite fields. ECDH allows two parties, each having an elliptic curve public-private 
key pair, to establish a shared secret over an insecure channel. The shared secret 
can be used either as a key or to derive another key for encrypting subsequent 
communications using a symmetric key cipher. 


ECDSA—Elliptic Curve Digital Signature Algorithm. A variant of the Digital Signature 
Algorithm (DSA) that uses cryptography based on the algebraic structure of elliptic 
curves over finite fields. The bit size of the elliptic curve determines the difficulty of 
decrypting the key. The public key believed to be needed for ECDSA is about twice 
the size of the security level, in bits. ECDSA using the P-256 curve can be configured 
under OpenSSH. 


HMAC—Defined as “Keyed-Hashing for Message Authentication” in RFC 2104, HVAC 
combines hashing algorithms with cryptographic keys for message authentication. 
For Junos OS in FIPS-approved mode of operation, HMAC uses the iterated 
cryptographic hash function SHA-] (designated as HMAC-SHA1) along with a secret 
key. 
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RSA—Algorithm for public key cryptography that is based on the presumed difficulty of 
factoring large integers of up to 2048 bits. The RSA algorithm involves three steps: 
key generation, encryption, and decryption. SSHv2 requires the asymmetric algorithm 
RSA-2048 with 2,048 bits (617 decimal digits), the largest of the RSA integers. The 
RSA algorithm is used in the validation of Juniper Networks signed binaries and is 
also available and used with the ssh command. 


SHA-1—A Secure Hash Algorithm (SHA) standard defined in FIPS PUB 180-1 (SHA-1). 
Developed by NIST, SHA-1 produces a 160-bit hash for message authentication. 


3DES (3des-cbc)—Encryption standard based on the original Data Encryption Standard 
(DES) from the 1970s that Used a 56-bit key and was cracked in 1997. The more 
secure 3DES is DES enhanced with three multiple stages and effective key lengths 
of about 112 bits. For Junos OS in FIPS-approved mode of operation, 3DES is 
implemented with cipher block chaining (CBC). 


Related «- Understanding Zeroization to Clear System Data for FIPS Approved Mode of Operation 
Documentation on page 19 


« Understanding FIPS Self-Tests on page 21 


Understanding Zeroization to Clear System Data for FIPS-Approved Mode of Operation 


Zeroization completely erases all configuration information on the device, including all 
plaintext passwords, secrets, and private keys for SSH, local encryption, local 
authentication, and IPsec. 


The cryptographic module provides a non-approved mode of operation in which 

non-approved cryptographic algorithms are supported. When moving from the 

non-approved mode of operation to the approved mode of operation, the Cryptographic 

Officer must run the following commands to zeroize the approved mode critical security 

parameters (CSPs): 

user@host> start shell 

user@Ghost% rm -P <key file> 

<key file> each persistent private or secret key other than the SSH host keys and 
the X.509 keys for IKE. 


user@host% exit 
user@host> request system zeroize 


The Cryptographic Officer initiates the zeroization process by entering the request system 
zeroize operational command from the CLI after enabling FIPS-approved mode of 
operation. Use of this command is restricted to the Cryptographic Officer. (To zeroize 
the system before enabling FIPS-approved mode of operation, Use the request system 
zeroize media command.) 


A CAUTION: Perform system zeroization with care. After the zeroization process 
is complete, no data is left on the device. The device is returned to the 
factory-default state, without any configured users or configuration files. 
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Why Zeroize? 


When to Zeroize? 


Related 
Documentation 
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Zeroization can be time-consuming. Although all configurations are removed in a few 
seconds, the zeroization process goes on to overwrite all media, which can take 
considerable time depending on the size of the media. 

« Why Zeroize? on page 20 


« When to Zeroize? on page 20 


Your device is not considered a valid FIPS cryptographic module until all CSPs have been 
entered—or reentered—while the device is in FIPS-approved mode of operation. 





QO BEST PRACTICE: For FIPS 140-2 compliance, we recommend that you zeroize 
the device to remove sensitive information. 


As a Cryptographic Officer, perform zeroization in the following situations: 


- Before FIPS operation—To prepare your device for operation as a FIPS cryptographic 
module, perform zeroization after enabling FIPS-approved mode of operation and 
before FIPS operation. 


- Before non-FIPS operation—To begin repurposing your device for non-FIPS operation, 
perform zeroization before disabling FIPS-approved mode of operation on the device 
or loading Junos OS packages that do not include FIPS-approved mode of operation. 


@ NOTE: Juniper Networks does not support installing non-FIPS software in 
a FIPS-approved mode of operation, but doing so might be necessary in 
certain test environments. Be sure to zeroize the system first. 


- When a tamper-evident seal is disturbed—If the seal on an insecure port has been 
tampered with, the system is considered to be compromised. After applying new 
tamper-evident seals to the appropriate locations, zeroize the system and set up new 
passwords and CSPs. 


« Applying Tamper-Evident Seals to the Cryptographic Module on page 25 
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Understanding FIPS Self-Tests 


The cryptographic module enforces security rules to ensure that a device running the 
Juniper Networks Junos operating system (Junos OS) in FIPS-approved mode of operation 
meets the security requirements of FIPS 140-2 Level 1. To validate the output of 
cryptographic algorithms approved for FIPS and test the integrity of some system 
modules, the device performs the following series of known answer test (KAT) self-tests: 


« kernel_kats—KAT for kernel cryptographic routines 

« md_kats—KAT for libmd and libc 

* openssl_kats—KAT for OpenSSL cryptographic implementation 

¢ quicksec_kats—KAT for QuickSec Toolkit cryptographic implementation 

- ssh_ipsec_kats—KAT for SSH IPsec Toolkit cryptographic implementation 

¢ jsf_crypto_spu_xlr_kats—KAT for JSF Crypto SPU XLR (SRX5000 line of devices only) 
« jsf_crypto_octeon_kats—KAT for JSF Crypto Octeon (branch SRX Series devices only) 
* octcrypto_kats—KAT for Octeon (branch SRX Series devices only) 

The KAT self-tests are performed automatically at startup and reboot, regardless of 
whether FIPS-approved mode of operation is enabled on the device. Conditional self-tests 


are also performed automatically to verify digitally signed software packages, generated 
random numbers, RSA and DSA key pairs, and manually entered keys. 


If the KATs are completed successfully, the system log (syslog) file is updated to display 
the tests that were executed. 


If the device fails a KAT, the device writes the details to a system log file, enters FIPS 
error state (panic), and reboots. 


The file show /var/log/messages command displays the system log. 


Performing Power-On Self-Tests on the Device 


Each time the cryptographic module is powered on, the module tests that the 
cryptographic algorithms still operate correctly and that sensitive data has not been 
damaged. Power-on self-tests are performed on demand by power cycling the module. 


On powering on or resetting the device, the module performs the following self-tests. All 
KATs must be completed successfully prior to any other use of cryptography by the 
module. If one of the KATs fail, the module enters the Critical Failure error state. 


The module displays the following status output for high-end SRX Series devices while 
running the power-on self-tests: 


FIPS Software Integrity tests... 
Verified junos signed by PackageProductionEc_2016 method ECDSA 
Verified jboot signed by PackageProductionEc_2016 method ECDSA 
Verified junos-12.3X48-D30.10-fips signed by PackageProductionEc_2016 method ECDSA 
Testing file integrity: 
File integrity Known Answer Test: Passed 
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FIPS Algorithm tests... 
Testing kernel KATS: 
DES3-CBC Known Answer Test: 
HMAC-SHA1 Known Answer Test: 
HMAC-SHA2-256 Known Answer Test: 
SHA-2 Known Answer Test: 
AES128-CMAC Known Answer Test: 
AES-CBC Known Answer Test: 
Testing libmd KATS: 
HMAC-SHA1 Known Answer Test: 
HMAC-SHA2-256 Known Answer Test: 
Testing OpenSSL KATS: 
FIPS RNG Known Answer Test: 


NIST 800-90 HMAC DRBG Known Answer Test: 


FIPS ECDSA Known Answer Test: 
FIPS ECDH Known Answer Test: 
FIPS RSA Known Answer Test: 
DES3-CBC Known Answer Test: 
HMAC-SHA1 Known Answer Test: 
HMAC-SHA2-256 Known Answer Test: 
HMAC-SHA2-384 Known Answer Test: 
HMAC-SHA2-512 Known Answer Test: 
SHA-2 Known Answer Test: 
AES-CBC Known Answer Test: 
ECDSA-SIGN Known Answer Test: 
KDF-IKE-V1 Known Answer Test: 
KDF-SSH Known Answer Test: 
Testing QuickSec KATS: 


NIST 800-90 HMAC DRBG Known Answer Test: 


DES3-CBC Known Answer Test: 
HMAC-SHA1 Known Answer Test: 
HMAC-SHA2-224 Known Answer Test: 
HMAC-SHA2-256 Known Answer Test: 
HMAC-SHA2-384 Known Answer Test: 
HMAC-SHA2-512 Known Answer Test: 
AES-CBC Known Answer Test: 
AES-GCM Known Answer Test: 
SSH-RSA-ENC Known Answer Test: 
SSH-RSA-SIGN Known Answer Test: 
KDF-IKE-V1 Known Answer Test: 
KDF-IKE-V2 Known Answer Test: 
Testing SSH IPsec KATS: 


NIST 800-90 HMAC DRBG Known Answer Test: 


DES3-CBC Known Answer Test: 

HMAC-SHA1 Known Answer Test: 

HMAC-SHA2-256 Known Answer Test: 

SHA-2 Known Answer Test: 

AES-CBC Known Answer Test: 

SSH-RSA-ENC Known Answer Test: 

SSH-RSA-SIGN Known Answer Test: 

KDF-IKE-V1 Known Answer Test: 
Testing crypto integrity: 

Crypto integrity Known Answer Test: 
FIPS Crivtical Function teests... 
expectring an exec erroir: 


Passed 
Passed 
Passed 
Passed 
Passed 
Passed 


Passed 
Passed 


Passed 
Passed 
Passed 
Passed 
Passed 
Passed 
Passed 
Passed 
Passed 
Passed 
Passed 
Passed 
Passed 
Passed 
Passed 


Passed 
Passed 
Passed 
Passed 
Passed 
Passed 
Passed 
Passed 
Passed 
Passed 
Passed 
Passed 
Passed 


Passed 
Passed 
Passed 
Passed 
Passed 
Passed 
Passed 
Passed 
Passed 


Passed 


exec: no fingerprint for file='/sbin/kats/cannot-exec' fsid=85 fileid=71884 uid=0 


pid=188 


/etc/rc.fips: /sbin/kats/cannot-exec: Authentication error 


FIPS self tests completed. 
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The module displays the following status output for branch SRX Series devices while 
running the power-on self-tests: 


FIPS Software Integrity tests... 
Verified junos signed by PackageProductionEc_2016 method ECDSA 
Verified jboot signed by PackageProductionEc_2016 method ECDSA 
Verified junos-12.3X48-D30.10-fips signed by PackageProductionEc_2016 method ECDSA 
Testing file integrity: 
File integrity Known Answer Test: Passed 
FIPS Algorithm tests... 
Testing JSF Crypto (Octeon) KATs: 


AES-CBC Known Answer Test: Passed 
AES-GCM Known Answer Test: Passed 
RSA-SIGN Known Answer Test: Passed 
ECDSA-SIGN Known Answer Test: Passed 
Testing kernel KATS: 
DES3-CBC Known Answer Test: Passed 
HMAC-SHA1 Known Answer Test: Passed 
HMAC-SHA2-256 Known Answer Test: Passed 
SHA-2 Known Answer Test: Passed 
AES128-CMAC Known Answer Test: Passed 
AES-CBC Known Answer Test: Passed 
Testing libmd KATS: 
HMAC-SHA1 Known Answer Test: Passed 
HMAC-SHA2-256 Known Answer Test: Passed 
Testing Octeon KATS: 
DES3-CBC Known Answer Test: Passed 
HMAC-SHA1 Known Answer Test: Passed 
HMAC-SHA2-256 Known Answer Test: Passed 
AES-CBC Known Answer Test: Passed 
Testing OpenSSL KATS: 
FIPS RNG Known Answer Test: Passed 
NIST 800-90 HMAC DRBG Known Answer Test: Passed 
FIPS ECDSA Known Answer Test: Passed 
FIPS ECDH Known Answer Test: Passed 
FIPS RSA Known Answer Test: Passed 
DES3-CBC Known Answer Test: Passed 
HMAC-SHA1 Known Answer Test: Passed 
HMAC-SHA2-256 Known Answer Test: Passed 
HMAC-SHA2-384 Known Answer Test: Passed 
HMAC-SHA2-512 Known Answer Test: Passed 
SHA-2 Known Answer Test: Passed 
AES-CBC Known Answer Test: Passed 
ECDSA-SIGN Known Answer Test: Passed 
KDF-IKE-V1 Known Answer Test: Passed 
KDF-SSH Known Answer Test: Passed 
Testing QuickSec KATS: 
NIST 800-90 HMAC DRBG Known Answer Test: Passed 
DES3-CBC Known Answer Test: Passed 
HMAC-SHA1 Known Answer Test: Passed 
HMAC-SHA2-224 Known Answer Test: Passed 
HMAC-SHA2-256 Known Answer Test: Passed 
HMAC-SHA2-384 Known Answer Test: Passed 
HMAC-SHA2-512 Known Answer Test: Passed 
AES-CBC Known Answer Test: Passed 
AES-GCM Known Answer Test: Passed 
SSH-RSA-ENC Known Answer Test: Passed 
SSH-RSA-SIGN Known Answer Test: Passed 
KDF-IKE-V1 Known Answer Test: Passed 
KDF-IKE-V2 Known Answer Test: Passed 
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Testing SSH IPsec KATS: 


NIST 800-90 HMAC DRBG Known Answer Test: Passed 
DES3-CBC Known Answer Test: Passed 
HMAC-SHA1 Known Answer Test: Passed 
HMAC-SHA2-256 Known Answer Test: Passed 
SHA-2 Known Answer Test: Passed 
AES-CBC Known Answer Test: Passed 
SSH-RSA-ENC Known Answer Test: Passed 
SSH-RSA-SIGN Known Answer Test: Passed 
KDF-IKE-V1 Known Answer Test: Passed 
Testing JSF Crypto (Octeon) KATs: 
AES-CBC Known Answer Test: Passed 
AES-GCM Known Answer Test: Passed 
RSA-SIGN Known Answer Test: Passed 
ECDSA-SIGN Known Answer Test: Passed 
Testing kernel KATS: 
DES3-CBC Known Answer Test: Passed 
HMAC-SHA1 Known Answer Test: Passed 
HMAC-SHA2-256 Known Answer Test: Passed 
SHA-2 Known Answer Test: Passed 
AES128-CMAC Known Answer Test: Passed 
AES-CBC Known Answer Test: Passed 
Testing libmd KATS: 
HMAC-SHA1 Known Answer Test: Passed 
HMAC-SHA2-256 Known Answer Test: Passed 
Testing Octeon KATS: 
DES3-CBC Known Answer Test: Passed 
HMAC-SHA1 Known Answer Test: Passed 
HMAC-SHA2-256 Known Answer Test: Passed 
AES-CBC Known Answer Test: Passed 
Testing OpenSSL KATS: 
FIPS RNG Known Answer Test: Passed 
NIST 800-90 HMAC DRBG Known Answer Test: Passed 
FIPS ECDSA Known Answer Test: Passed 
FIPS ECDH Known Answer Test: Passed 
FIPS RSA Known Answer Test: Passed 
DES3-CBC Known Answer Test: Passed 
HMAC-SHA1 Known Answer Test: Passed 
HMAC-SHA2-256 Known Answer Test: Passed 
HMAC-SHA2-384 Known Answer Test: Passed 
HMAC-SHA2-512 Known Answer Test: Passed 
SHA-2 Known Answer Test: Passed 
AES-CBC Known Answer Test: Passed 
ECDSA-SIGN Known Answer Test: Passed 
KDF-IKE-V1 Known Answer Test: Passed 
KDF-SSH Known Answer Test: Passed 
Testing QuickSec KATS: 
NIST 800-90 HMAC DRBG Known Answer Test: Passed 
DES3-CBC Known Answer Test: Passed 
HMAC-SHA1 Known Answer Test: Passed 
HMAC-SHA2-224 Known Answer Test: Passed 
HMAC-SHA2-256 Known Answer Test: Passed 
HMAC-SHA2-384 Known Answer Test: Passed 
HMAC-SHA2-512 Known Answer Test: Passed 
AES-CBC Known Answer Test: Passed 
AES-GCM Known Answer Test: Passed 
SSH-RSA-ENC Known Answer Test: Passed 
SSH-RSA-SIGN Known Answer Test: Passed 
KDF-IKE-V1 Known Answer Test: Passed 
KDF-IKE-V2 Known Answer Test: Passed 


Testing SSH IPsec KATS: 
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NIST 800-90 HMAC DRBG Known Answer Test: Passed 
DES3-CBC Known Answer Test: Passed 
HMAC-SHA1 Known Answer Test: Passed 
HMAC-SHA2-256 Known Answer Test: Passed 
SHA-2 Known Answer Test: Passed 
AES-CBC Known Answer Test: Passed 
SSH-RSA-ENC Known Answer Test: Passed 
SSH-RSA-SIGN Known Answer Test: Passed 
KDF-IKE-V1 Known Answer Test: Passed 
Testing crypto integrity: 
Crypto integrity Known Answer Test: Passed 


FIPS Critical Function tests... 

expecting an exec error: 

veriexec: no fingerprint for file='/sbin/kats/cannot-exec.real' fsid=74 
fileid=74064 uid=0 pid=305 

FIPS self tests completed. 


@ NOTE: The module implements cryptographic libraries and algorithms that 
are not utilized in the approved mode of operation. 





Related + HowtoEnable and Configure Junos OS in FIPS Approved Mode of Operation—Overview 
Documentation on page 43 


Applying Tamper-Evident Seals to the Cryptographic Module 


The cryptographic modules physical embodiment is that of a multi-chip standalone 
device that meets Level 2 physical security requirements. The module is completely 
enclosed in a rectangular nickel or clear zinc coated, cold rolled steel, plated steel, and 
brushed aluminum enclosure. There are no ventilation holes, gaps, slits, cracks, slots, or 
crevices that would allow for any sort of observation of any component contained within 
the cryptographic boundary. Tamper-evident seals allow the operator to verify if the 
enclosure has been breached. These seals are not factory-installed and must be applied 
by the Cryptographic Officer. 


@ NOTE: Seals are available for order from Juniper Networks using part number 
JNPR-FIPS-TAMPER-LBLS. 


As a Cryptographic Officer, you are responsible for: 


- Applying seals to secure the cryptographic module 
« Controlling any unused seals 


¢ Controlling and observing any changes, such as repairs or booting from an external 
USB drive to the cryptographic module, that require removing or replacing the seals 
to maintain the security of the module 
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As per the security inspection guidelines, upon receipt of the cryptographic module, the 
Cryptographic Officer must check that the labels are free of any tamper evidence. 


« General Tamper-Evident Seal Instructions on page 26 

« SRX100 and SRX110 Device Tamper-Evident Seal Application on page 26 
« SRX210 Device Tamper-Evident Seal Application on page 26 

« SRX220 Device Tamper-Evident Seal Application on page 26 

« SRX240 Device Tamper-Evident Seal Application on page 27 

« SRX550 Device Tamper-Evident Seal Application on page 27 

e SRX650 Device Tamper-Evident Seal Application on page 28 

« SRX5400 Device Tamper-Evident Seal Application on page 29 

« SRX5600 Device Tamper-Evident Seal Application on page 30 

« SRX5800 Device Tamper-Evident Seal Application on page 30 


General Tamper-Evident Seal Instructions 


All FIPS-certified switches require a tamper-evident seal on the USB ports. While applying 
seals, follow these general instructions: 


« Handle the seals with care. Do not touch the adhesive side. Do not cut or otherwise 
resize a seal to make it fit. 


« Make sure all surfaces to which the seals are applied are clean and dry and clear of 
any residue. 


« Apply the seals with firm pressure across the seal to ensure adhesion. Allow at least 
] hour for the adhesive to cure. 


The following sections describe the tamper-evident seal application method for all the 
SRX Series devices. 


SRX100 and SRX110 Device Tamper-Evident Seal Application 


On SRX100 and SRX110 devices, apply one tamper-evident seal on top of the chassis, 
covering one of the chassis screws. 


SRX210 Device Tamper-Evident Seal Application 
On SRX210 devices, apply three tamper-evident seals at the following locations: 


- The top of the chassis, covering one of the chassis screws. 


« The l/O slot - Two seals, horizontally across the right and left edges of the interface 
card or cover plate. 


SRX220 Device Tamper-Evident Seal Application 


On SRX220 device, apply five tamper-evident seals at the following locations: 
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- Front pane: 


- Apply one seal horizontally across the left edge of the leftmost installed interface card 
or cover plate. 


- Apply one seal horizontally across the right edge of the leftmost installed interface 
card or cover plate, and extending on to the edge of the rightmost installed interface 
card or cover plate. 


- Apply one seal vertically across both the rightmost installed interface card or cover 
plate and the CompactFlash card slot below it, extending on to the top and bottom 
of the chassis. 


- Apply one seal on the left and right sides of the module. Apply the seals starting from 
the top of the device and extending to the bottom of the chassis. 


SRX240 Device Tamper-Evident Seal Application 
On SRX240 devices, apply eight tamper-evident seals at the following locations: 


« Onthe front of the module, apply one seal vertically across each of the installed 
interface cards, or slot cover plates, extending on to the top and bottom of the chassis 
of the module. 


- Apply one seal on the left and right sides of the module, extending from the top of the 
chassis to the bottom. 


SRX550 Device Tamper-Evident Seal Application 


On SRX550 device, apply 19 tamper-evident seals at the following locations: 


- Front pane: 


« Apply four seals horizontally across the corner between the front plate and the right 
side. Three of the seals should be directly below the extending screws. The fourth seal 
should be near the top of the screws. 


« Apply one seal vertically, immediately to the left of the lower three seals previously 
mentioned. This seal should cover all three of the subplates and reach around to the 
bottom plate as well. 


- Apply one seal vertically, immediately to the left of RJ-45 jacks 16 and 17. Position the 
seal so that it sticks to the subplate the two RJ-45 jacks, to the subplate immediately 
below the jacks, and to the top plate as well. 


- Apply one seal vertically, to the right of and beneath (adjacent corner) RJ-45 jack 15. 
RJ45 jacks 15. Position the seal so that it sticks to the subplate containing jack 15, to 
the two subplates below the jack, and to the bottom plate as well. 


- Apply one seal horizontally, attached to the two subplates directly below the subplate 
containing RJ-45 jacks O-15. 


- Apply one seal vertically, attaching it below RJ-45 jacks O - 3. Position the seal between 
jacks 4 and 5. Make sure the seal sticks to the subplate for jacks O - 3, as well as to the 
two subplates below. 


Copyright © 2017, Juniper Networks, Inc. ai 


FIPS Evaluated Configuration Guide for SRX Series Security Devices 


« Apply one seal horizontally, touching corners with RJ-45 jack 1. Position the seal so 
that it sticks to the jack 1 subplate and to the subplate to the left. Be careful not to 
interfere with the jack below and to the left of the CONSOLE USB-MiniB receptacle. 


« Apply one seal horizontally, directly above the RJ-45 jack to the left of the CONSOLE 
USB-MiniB receptacle. Position the seal so that it sticks to the jack 1 subplate and to 
the subplate to the left. 


¢ Onthe right side of the module, apply four seals horizontally to the far-left side of the 
plate located on the right. 


« Apply one seal vertically on the far right side of the module. Position the seal so that 
it extends downward and sticks to the bottom plate. 


- Apply one seal vertically on the left side of the module. Position the seal in the middle, 
ensuring that it extends downward and sticks to the bottom plate. 


- Rear pane: 


- Apply two seals vertically, placing one on the subplate holding the power input and 
the other above the input. Each seal should extend to the vertically adjacent plate (so 
both seals touch both plates) and to the top (upper seal) and bottom (lower seal) 
plates. 


- Apply two seals vertically; placing one on the black subplate and the second on the 
small silver subplate. The second seal should extend to touch the black subplate as 
well. Both seals should touch either the black subplate or the silver subplate 


- Apply two seals vertically, on the far-right subplate. Position the seals so that one 
sticks to the top subplate and the other sticks to the bottom subplate. 


@ NOTE: The lOCs on the SRX550 device are considered non-security relevant 
and are excluded from the requirements of FIPS 140-2. They do not perform 
cryptography and a malfunction cannot cause other components to 
malfunction, disclose CSPs, or output plaintext data. 


SRX650 Device Tamper-Evident Seal Application 


The lIOCs on the SRX650 device are considered non-security relevant and are excluded 
from the requirements of FIPS 140-2. They do not perform cryptography, anda 
malfunction cannot cause other components to malfunction, disclose CSPs, or output 
plaintext data. 


On SRX650 devices, apply 19 tamper-evident seals at the following locations: 


- Front Pane: 


- Apply two seals vertically across the center part of each of the installed interface cards 
(or slot cover plates) numbered 1 through 4, extending to the top and bottom of the 
chassis of the module. 
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- Apply two seals vertically across the center part of each of the installed interface cards 
(or slot cover plates) numbered 5 through 8, extending to the top and bottom of the 
chassis of the module. 


- Apply one seal vertically, across the left edge of the slot covers marked 3 and 4, 
extending from the bottom of the chassis to the bottom of the slot cover marked 2. 


« Apply four seals horizontally, across the right edge of the slot covers marked 5 - 8, 
extending on to the right side of the chassis. 


- Apply two seals horizontally, across the right edge of the slot covers marked 1 and 2, 
extending to the left front face of the chassis. 





- Apply two seals, one on the left side of the module and one on the right side. Position 
the seals so that they extend from the side of the chassis to the bottom. 


« Back Pane: 


- Apply two seals vertically across the central part of each of the installed interface 
cards (or slot cover plates), extending to the top and bottom of the chassis of the 
module. 


- Apply two seals vertically across each of the installed power supplies or cover plates, 
extending to the top and bottom of the chassis of the module. 


- Apply two seals vertically across the air filter cover plate, extending to the top and 
bottom of the chassis of the module. 


SRX5400 Device Tamper-Evident Seal Application 


On SRX5400 devices, apply 13 tamper-evident seals at the following locations: 


« Front Pane: 


- Apply two seals vertically, connecting them to the topmost (non-honeycomb) subpane. 
Position the seals so that they extend to the thin pane below and the honeycomb panel 
above. 


- Apply one seal vertically across the thin pane, extending to the blank pane below and 
the subpane above. 


- Apply three seals vertically, one on each “long” horizontal subpane. Position each seal 
so that it attaches to the subpane above and the one below (or to the chassis, if it is 
bottommost subpane). Ensure that one of the seals extends to the left subpane below 
the thin subpane. 


« Back Pane: 


- Apply four seals vertically, one on each of the top four subpanes, extending to the large 
chassis plate below. 


« Apply one seal vertically on the horizontal screwed-in plate that rests on the large 
central chassis. Position the seal so that it extends to the chassis in both directions. 


- Apply two seals horizontally on the low side of the subpanes. Position the seals so that 
they extend to the large central chassis area and wrap around to the neighboring side 
panes. 
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SRX5600 Device Tamper-Evident Seal Application 


On SRX5600 devices, apply 17 tamper-evident seals at the following locations: 


« Front Pane: 


« Apply 11 seals vertically, one for each horizontal subpane (excluding the honeycomb 
plate on the top and the thin subpane below), one for the top (non-honeycomb) 
subpane, and one for the bottom. Position the seals so that they attach to vertically 
adjacent subpanes. Position the bottom seal so that it attaches to the lowermost 
subpane and wraps around, attaching to the bottom pane. Ensure that one of the seals 
spans across the thin plate with ample extra distance on each side. 


« Back Pane: 


- Apply four seals vertically, one on each of the top four subpanes, extending to the large 
chassis plate below. 


- Apply two seals horizontally, one on each of the vertical side subpanes, extending to 
both the large central plate and the side panes. 


SRX5800 Device Tamper-Evident Seal Application 
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On SRX5800 devices, apply 24 tamper-evident seals at the following locations: 


« Front Pane: 


- Apply two seals vertically, connected to the topmost (non-honeycomb) subpane. 
Position the seals so that they extend to the thin pane below and the honeycomb panel 
above. 


- Apply one seal vertically, across the thin pane. Position the seal so that it extends to 
the blank pane below and the subpane above. 


- Apply three seals vertically, one on each long horizontal subpane. Position each seal 
so that it attaches to the subpane above and the one below (or to the chassis, if it is 
the bottommost subpane). Ensure that one of the seals extends to the left subpane 
below the thin subpane. 


« Back Pane: 


- Apply four seals vertically, one on each of the top four subpanes, extending to the large 
chassis plate below. 


- Apply one seal vertically on the horizontal screwed-in plate that rests on the large 
central chassis. Position the seal so that it extends to the chassis in both directions. 


- Apply two seals horizontally. Position them on the low side subpanes, extending to 
the large central chassis area and wrapping around to the neighboring side panes. 


e Howto Enable and Configure Junos OS in FIPS Approved Mode of Operation—Overview 
on page 43 
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Configuring Roles and Authentication 
Methods 


« Understanding Roles and Services for Junos OS in FIPS-Approved Mode of 
Operation on page 31 


« Understanding the Associated Password Rules for an Authorized 
Administrator on page 33 


e« Understanding FIPS Authentication Methods on page 35 
e« Understanding Services for Junos OS in FIPS-Approved Mode of Operation on page 36 


Understanding Roles and Services for Junos OS in FIPS-Approved Mode of Operation 


The Juniper Networks Junos operating system (Junos OS) running in non-FIPS-approved 
mode of operation allows a wide range of capabilities for Users, and authentication is 
identity-based. In contrast, the FIPS 140-2 standard defines two user roles: Cryptographic 
Officer and FIPS user. These roles are defined in terms of Junos OS user capabilities. 


All other user types defined for Junos OS in FIPS-approved mode of operation (operator, 
administrative user, and so on) must fall into one of the two categories: Cryptographic 
Officer or FIPS user. For this reason, user authentication in FIPS-approved mode of 
operation is role-based rather than identity-based. 


In addition to their FIPS roles, both user types can perform normal configuration tasks 
on the device as individual user configuration allows. 


Cryptographic Officers and FIPS users perform all FIPS-related configuration tasks and 
issue all statements and commands for Junos OS in FIPS-approved mode of operation. 
Cryptographic Officer and FIPS user configurations must follow the guidelines for Junos 
OS in FIPS-approved mode of operation. 


For details, see: 


e Cryptographic Officer Role and Responsibilities on page 32 
« FIPS User Role and Responsibilities on page 32 
« What Is Expected of All FIPS Users on page 33 
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Cryptographic Officer Role and Responsibilities 


The Cryptographic Officer is the person responsible for enabling, configuring, monitoring, 
and maintaining Junos OS in FIPS-approved mode of operation on a device. The 
Cryptographic Officer securely installs Junos OS on the device, enables FIPS-approved 
mode of operation, establishes keys and passwords for other users and software modules, 
and initializes the device before network connection. The Cryptographic Officer can 
configure and monitor the module through a console or SSH connection. 


Oo BEST PRACTICE: We recommend that the Cryptographic Officer administer 
the system in a secure manner by keeping passwords secure and checking 
audit files. 


The permissions that distinguish the Cryptographic Officer from other FIPS users are 
secret, security, maintenance, and control. For FIPS compliance, assign the Cryptographic 
Officer to a login class that contains all of these permissions. A user with the Junos OS 
maintenance permission can read files containing critical security parameters (CSPs). 


@ NOTE: Junos OS in FIPS-approved mode of operation does not support the 
FIPS 140-2 maintenance role, which is different from the Junos OS 
maintenance permission. 


Among the tasks related to Junos OS in FIPS-approved mode of operation, the 
Cryptographic Officer is expected to: 


¢ Set the initial root password. 

- Reset user passwords for FIPS-approved algorithms during upgrades from Junos OS. 
« Set Up manual IPsec SAs for configuration with dual Routing Engines. 

- Examine log and audit files for events of interest. 


- Erase user-generated files and data on (zeroize) the device. 


FIPS User Role and Responsibilities 


32 


All FIPS users, including the Cryptographic Officer, can view the configuration. Only the 
user assigned as the Cryptographic Officer can modify the configuration. 


The permissions that distinguish Cryptographic Officers from other FIPS users are secret, 
security, maintenance, and control. For FIPS compliance, assign the FIPS user to a class 
that contains none of these permissions. 


FIPS users configure networking features on the device and perform other tasks that are 
not specific to FIPS-approved mode of operation. FIPS users who are not Cryptographic 
Officers can perform reboots and view status output. 
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What Is Expected of All FIPS Users 


Related 
Documentation 


All FIPS users, including the Cryptographic Officer, must observe security guidelines at 
all times. 


All FIPS users must: 


- Keep all passwords confidential. 

« Store devices and documentation in a secure area. 
- Deploy devices in secure areas. 

« Check audit files periodically. 

¢ Conform to all other FIPS 140-2 security rules. 


- Follow these guidelines: 


- Users are trusted. 
« Users abide by all security guidelines. 
e Users do not deliberately compromise security. 


« Users behave responsibly at all times. 


e« Understanding Zeroization to Clear System Data for FIPS Approved Mode of Operation 
on page 19 


« Understanding FIPS Approved Mode of Operation Terminology and Supported 
Cryptographic Algorithms on page 16 


Understanding the Associated Password Rules for an Authorized Administrator 


The authorized administrator is associated with a defined login class, and the 
administrator is assigned with all permissions. Data is stored locally for fixed password 
authentication. 


@ NOTE: We recommend that you not use control characters in passwords. 
Use the following guidelines and configuration options for passwords and when selecting 
passwords for authorized administrator accounts. Passwords should be: 

- Easy to remember so that users are not tempted to write it down. 

+ Changed periodically. 

- Private and not shared with anyone. 

« Contain a minimum of 10 characters. The maximum password length is 10 characters. 


[ edit ] 
administrator@host# set system login password minimum-length 10 
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Related 
Documentation 
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« Include both alphanumeric and punctuation characters, composed of any combination 
of upper and lowercase letters, numbers, and special characters such as, “!”,“@”, “#”, 
“HP KH" A" HB” “Cand “)”. There should be at least a change in one case, one or 


more digits, and one or more punctuation marks. 


¢ Contain character sets. Valid character sets include Uppercase letters, lowercase 
letters, numbers, punctuation, and other special characters. 


[ edit ] 
administrator@host# set system login password change-type character-sets 


« Contain the minimum number of character sets or character set changes. The minimum 
number of character sets required in plain-text passwords in Junos FIPS is 2. 


[ edit ] 
administrator@host# set system login password minimum-changes 2 


@ NOTE: The authentication algorithm for plain-text passwords must be 
configured as shal. 


[ edit ] 
administrator@host# set system login password format shal 


Weak passwords are: 


- Words that might be found in or exist as a permuted form in a system file such as 
/etc/passwd. 


- The hostname of the system (always a first gUess). 


- Any words appearing in a dictionary. This includes dictionaries other than English, and 
words found in works such as Shakespeare, Lewis Carroll, Roget's Thesaurus, and so 
on. This prohibition includes common words and phrases from sports, sayings, movies, 
and television shows. 


- Permutations on any of the above. For example, a dictionary word with vowels replaced 
with digits (for example fOOt) or with digits added to the end. 


« Any machine-generated passwords. Algorithms reduce the search space of 
password-guessing programs and so should not be used. 


Strong reusable passwords can be based on letters from a favorite phrase or word, and 
then concatenated with other, unrelated words, along with additional digits and 
punctuation. 


@ NOTE: Passwords should be changed periodically. 


« Identifying Secure Product Delivery 
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Understanding FIPS Authentication Methods 


The Juniper Networks Junos operating system (Junos OS) running in FIPS-approved 
mode of operation allows a wide range of capabilities for Users, and authentication is 
identity-based. The following types of identity-based authentication are supported in 
the FIPS-approved mode of operation: 


« Username and Password Authentication over the Console and SSH on page 35 


e« Username and Public Key Authentication over SSH on page 35 


Username and Password Authentication over the Console and SSH 


In this authentication method, the user is requested to enter the username and password. 
The device enforces the user to enter a minimum of 10-characters password that is 
chosen from the 96 human-readable ASCII characters. 


@ NOTE: The maximum password length is 20 characters. 


In this method, the device enforces a timed access mechanism—for example, first two 
failed attempts to enter the correct password (assuming O time to process), no timed 
access is enforced. When the user enters the password for the third time, the module 
enforces a 5-second delay. Each failed attempt thereafter results in an additional 
5-second delay above the previous failed attempt. For example, if the fourth failed 
attempt is a 10-second delay, then the fifth failed attempt is a 15-second delay, the sixth 
failed attempt is a 20-second delay, and the seventh failed attempt is a 25-second delay. 


Therefore, this leads to a maximum of seven possible attempts in a 1-minute period for 
each getty active terminal. So, the best approach for the attacker would be to disconnect 
after 4 failed attempts, and wait for a new getty to be spawned. This would allow the 
attacker to perform roughly 9.6 attempts per minute (576 attempts per hour or 60 
minutes). This would be rounded off to 9 attempts per minute, because there is no such 
thing as 0.6 attempts. Thus the probability of a successful random attempt is 1/9610, 
which is less than 1/1 million. The probability of a success with multiple consecutive 
attempts in a 1-minute period is 9/(9610), which is less than 1/100,000. 


Username and Public Key Authentication over SSH 


In this authentication method, the user is requested to enter the Username and SSH 
public-key authentication. The device supports ECDSA (P-256 and P-384) key-type. 
The probability of a success with multiple consecutive attempts in a 1-minute period is 
5.6e7/(2128). 
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@® NOTE: When you run the set system login user <username> authentication 
ssh-ecdsa key command on the device only ecdsa-sha2-nistp256 and 

ecdsa-sha2-nistp384 key-types are accepted. The ecdsa-sha2-nistp521 
key-type is no longer supported on the FIPS-approved mode. If you try to 
configure ecdsa-sha2-nistp521 key-type on the device then the following error 
message is displayed ecdsa-sha2-nistp521 is not permitted in FIPS mode is 
displayed. The use of the ecdsa-sha2-nistp521 key exchange method for SSH 
is also disabled in the FIPS-approved mode. 


Related + Configuring SSH on the Evaluated Configuration on page 40 
Documentation 


Understanding Services for Junos OS in FIPS-Approved Mode of Operation 


All services implemented by the module are listed in the tables that follow. 


Understanding Authenticated Services 


Table 3 on page 36 lists the authenticated services on the device running Junos OS. 


Table 3: Authenticated services 




















Cryptographic | User User 
Authenticated Services Description Officer ((x=teto Ere) al iva mim @al=yan'(o) 9,0) 
Configure security Security relevant configuration x - - 
Configure Non-security relevant configuration x - - 
Secure traffic IPsec protected routing - - x 
Status Display the status x x - 
Zeroize Destroy all critical security parameters (CSPs) x - - 
SSH connect Initiate SSH connection for SSH monitoring x x - 


and control (CLI) 











IPsec connect Initiate [Psec connection (IKE) x - x 
Console access Console monitoring and control (CLI) x x - 
Remote reset Software-initiated reset x = - 





Table 4: Unauthenticated traffic 


Service Description 


Local reset Hardware reset or power cycle 
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Table 4: Unauthenticated traffic (continued) 


Service Description 


Traffic Traffic requiring no cryptographic services 





Critical Security Parameters 


Critical security parameters (CSPs) are security-related information such as cryptographic 
keys and passwords that can compromise the security of the cryptographic module or 
the security of the information protected by the module if they are disclosed or modified. 


Zeroization of the system erases all traces of CSPs in preparation for operating the device 
as acryptographic module. 


Table 5 on page 37 lists the CSP access rights within services. 


Table 5: CSP Access Rights Within Services 





DRGB Seed | DRGB_State | SSHPHK | SSHDH SSH-SEK | ESP-SEK 
= E GW . = = 


Configure - - - - - - 


Configure security 








Secure Traffic - - - - - E 





Status = = = = = = 





Zeroize - - Z - - - 





SSH connect - E E G,E Ge - 





IPSec connect - E = = = G 





Console access - - = = = - 











Remote reset G,E G - Z Zz Zz 
Local Reset Gre G - if Z Zz 
Traffic - - - - - - 





IKE-PSK IKE-Priv IKE-SKEY1 IKE-SKE IKE-DH-PRI 
Ww G, W - - - 


Configure security 
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Configure - = S = = 
Secure Traffic = = - E - 
Status - - = = = 
Zeroize Z Z - = = 
SSH connect - - = = = 
IPSec connect E E = G G 
Console access - - = = pes 
Remote reset a - Z Z Z 
Local Reset = = ZZ Za Zz 
Traffic = = - - - 

Here: 

- G= Generate: The device generates the CSP. 

- E= Execute: The device runs using the CSP. 

- W=Write: The CSP is updated or written to the device. 

« Z = Zeroize: The device zeroizes the CSP. 

Related «- Understanding Zeroization to Clear System Data for FIPS Approved Mode of Operation 
Documentation on page 19 


« Understanding FIPS Authentication Methods on page 35 
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CHAPTER 3 


Contiguring SSH and Console Connection 


« Configuring a System Login Message and Announcement on page 39 
e Limiting the Number of User Login Attempts for SSH Sessions on page 40 
¢« Configuring SSH on the Evaluated Configuration on page 40 


Configuring a System Login Message and Announcement 


Asystem login message appears before the user logs in and asystem login announcement 
appears after the user logs in. By default, no login message or announcement is displayed 
on the device. 


To configure a system login message, use the following command: 


[edit] 
user@host# set system login message login-message-banner-text 


To configure system announcement, use the following command: 


[edit] 
user@host# set system login announcement system-announcement-text 


@ NOTE: 
- If the message text contains any spaces, enclose it in quotation marks. 
- You can format the message using the following special characters: 
« \n—New line 
« \t—Horizontal tab 
« \'—Single quotation mark 
« \"—Double quotation mark 
« \\—Backslash 


Related . Configuring SSH on the Evaluated Configuration on page 40 
Documentation 
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Limiting the Number of User Login Attempts for SSH Sessions 


Related 
Documentation 


A remote administrator may login to a device through SSH. Administrator credentials 
are stored locally on the device. If the remote administrator presents a valid username 
and password, access to the TOE is granted. If the credentials are invalid, the TOE allows 
the authentication to be retried after an interval that starts after 1 second and increases 
exponentially. If the number of authentication attempts exceed the configured maximum, 
no authentication attempts are accepted for a configured time interval. When the interval 
expires, authentication attempts are again accepted. 


You can configure the device to limit the number of attempts to enter a password while 
logging through SSH. Using the following command, the connection can terminated if a 
user fails to login after a specified number of attempts: 


[edit system login] 
user@host# set retry options tries-before-disconnect <number> 


Here, tries-before-disconnect is the number of times a user can attempt to enter a 
password when logging in. The connection closes if a user fails to log in after the number 
specified. The range is from 1 through 10, and the default value is 10. 


You can also configure a delay, in seconds, before a user can try to enter a password 
after a failed attempt. 


[edit system login] 
user@host# set retry options backoff-threshold <number> 


Here, backoff-threshold is the threshold for the number of failed login attempts before 
the user experiences a delay in being able to enter a password again. Use the 
backoff-factor option to specify the length of the delay in seconds. The range is from 1 
through 3, and the default value is 2 seconds. 


In addition, the device can be configured to specify the threshold for the number of failed 
attempts before the user experiences a delay in entering the password again. 


[edit system login] 
user@host# set retry options backoff-factor <number> 


Here, backoff-factor is the length of time, in seconds, before a user can attempt to log in 
after a failed attempt. The delay increases by the value specified for each subsequent 
attempt after the threshold. The range is from 5 through 10, and the default value is 5 
seconds. 


e Configuring SSH on the Evaluated Configuration on page 40 


Configuring SSH on the Evaluated Configuration 


40 


SSH is the only remote management interface allowed in the evaluated configuration. 
This topic describes how to configure SSH on the device. 
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Chapter 3: Configuring SSH and Console Connection 


Before you begin, log in with your root account on the device running Junos OS Release 
12.3X48-D30 and edit the configuration. 


@ NOTE: You can enter the configuration commands in any order and commit 
all the commands at once. 


To configure SSH on the TOE: 


1. Specify the permissible SSH host-key algorithms for the system services. 


[edit system services] 
root@host# set ssh hostkey-algorithm ssh-rsa 


2. Specify the SSH key-exchange for Diffie-Hellman keys for the system services. 


[edit system services] 
root@host#set ssh key-exchange dh-group14-shal 


3. Specify all the permissible message authentication code algorithms for SSHv2. 


[edit system services] 
root@host#set ssh macs hmac-shal 


4. Specify the ciphers allowed for protocol version 2. 


[edit system services] 
root@host#set ssh ciphers aes128-cbc aes256-cbc 


« Limiting the Number of User Login Attempts for SSH Sessions on page 40 
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CHAPTER 4 


Configuring Junos OS in FIPS Mode of 
Operation 


« Loading Firmware on the Device on page 43 


« Howto Enable and Configure Junos OS in FIPS-Approved Mode of Operation on page 43 


Loading Firmware on the Device 


The Junos OS 12.3X48-D30 FIPS images only accept the firmware signed with ECDSA 
and rejects any firmware signed with RSA+SHAI. You cannot downgrade to images that 
are signed with RSA+SHAI from "ECDSA signed only” images. In this scenario, the SRX 
Series device does not load the firmware. 


Related + HowtoEnable and Configure Junos OS in FIPS Approved Mode of Operation—Overview 
Documentation on page 43 


How to Enable and Configure Junos OS in FIPS-Approved Mode of Operation 


You, as Cryptographic Officer, can enable and configure Junos OS in FIPS-approved 
mode of operation on your device. Before you begin enabling and configuring 
FIPS-approved mode of operation on the device: 


- Verify the secure delivery of your device. See “Identifying Secure Delivery” on page 15. 


« Apply tamper-evident seals. See “Applying Tamper-Evident Seals to the Cryptographic 
Module” on page 25. 


To enable the Junos OS in FIPS-approved mode of operation, perform the following 
steps: 


1. Install the Junos OS Release 12.3X48-D30 image, if you have not already done so. 
user@host> request system software add no-copy reboot <firmware-name> 


2. Runintegrity and self-tests on powering on the device when the module is operating 
in the FIPS-approved mode. 


Copyright © 2017, Juniper Networks, Inc. 43 


FIPS Evaluated Configuration Guide for SRX Series Security Devices 


© 


NOTE: Ifthe module was previously ina non-approved mode of operation, 
the Cryptographic Officer must zeroize the critical security parameters 
(CSPs) by following the instructions in “Understanding Zeroization to 
Clear System Data for FIPS Approved Mode of Operation” on page 19. 


3. Ensure that the backup image of the firmware is also a JUNOS-FIPS image by issuing 
the request system snapshot command. 


To configure the Junos OS in FIPS-approved mode of operation, perform the following 
steps: 


1. 
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Configure SSH to use FIPS-approved and FIPS allowed algorithms, using the following 
commands: 


user@host# set system services ssh hostkey-algorithm ssh-ecdsa 
user@host# set system services ssh hostkey-algorithm no-ssh-rsa 
user@host# set system services ssh hostkey-algorithm no-ssh-dss 
user@host# set system services ssh hostkey-algorithm no-ssh-ed25519 
user@Ghost# commit 


i 


i 


NOTE: The cryptographic module always enables the following algorithms 
for SSH: dh-group14-shal, ecdh-sha2-nistp256, ecdh-sha2-nistp384, 
group-exchange-shal, group-exchange-sha2, hmac-shal, hmac-shal-96, 
and 3des-cbc, aes128-cbc, aes128-ctr, aes]92-cbc, aes192-ctr, aes256-cbc, 
aes256-ctr. 


NOTE: When you run the command request security pki generate-keypair 
typersa size 2048 certificate-id the following message appears Generating 
a key-pair with a large modulus is very time-consuming. Progress is 
reported to the trace log, and a log message is generated upon 
completion. 


algorithms using the following commands: 


user@host# set system services ssh key-exchange <algorithm> 
<algorithm> - dh-group14-shal, ecdh-sha2-nistp256, ecdh-sha2-nistp384, 
group-exchange-shal, or group-exchange-sha2 


user@host# set system services ssh ciphers <alogrithm> 
<algorithm> - 3des-cbc, aesl128-cbc, aes128-ctr, aes192-cbc, aes192-ctr, 
aes256-cbc, aes256-ctr 


i 


NOTE: These algorithms are always proposed during SSH session 
negotiation. Explicitly specifying an algorithm moves the algorithm up in 
the list of proposed algorithms during the SSH session establishment. 
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3. The Cryptographic Officer can change the preference of SSH MAC algorithms or enable 
additional approved algorithms using the following command: 


userGhost# set system services ssh macs <algorithm> 


<algorithm> - hmac-shal, hmac-shal-96, hmac-sha2-256, hmac-sha2-512, 
hmac-shal1-96-etm@openssh.com, hmac-shal-etm@openssh.com, 
hmac-sha2-256-etm@openssh.com, hmac-sha2-512-etm@openssh.comuserGhost# set 
system services ssh ciphers <alogrithm> 


@ NOTE: hmac-shal and hmac-shal-96 are always proposed during SSH 
session negotiation. Explicitly specifying either algorithm moves it up in 
the list of proposed algorithms during the SSH session establishment. 
Specifying any other MAC algorithm adds it to the list of algorithms 
proposed. 


4. For each IPsec tunnel configured, you must run the following command to configure 
the algorithms: 


userGhost# set system security ipsec <name> authentication-algorithm <algorithm> 
<algorithm> - hmac-sha-256-128, hmac-shal-96 
user@host# set system security ipsec <name> encryption-algorithm <algorithm> 


<algorithm> - 3des-cbc, aes-128-cbc, aes-128-gcm, aes-192-cbc, aes-192-gcm, 
aes-256-cbc, aes-256-gcm 


@ NOTE: Use of AES-GCM is only FIPS-approved when it is configured for 
use in conjunction with IKEv2. 


@ NOTE: Run the show version command to check if the module is operating 
in FIPS-approved mode of operation. For example, run show system services 
ssh and show security ipsec to verify that only the FIPS-approved and 
FIPS-allowed algorithms are configured for SSH and IPsec as specified earlier 
in this section. 


Related ~- Loading Firmware on the Device on page 43 
Documentation 
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CHAPTER 5 


JuNos-FIPS Configuration Restrictions 


« Unsupported Junos-FIPS Configuration Statements on page 47 


e« Unsupported Junos-FIPS Operational Commands on page 48 


Unsupported Junos-FIPS Configuration Statements 


The following configuration statements are not supported on Junos-FIPS: 





Statement |DY=s={etg |e) de) a) 


set system services { ftp | finger | telnet | 
web-management | xnm-clear-text | tftp} 


Junos-FIPS does not allow an unencrypted or weakly encrypted or a 
connection that relies on a vulnerable key establishment protocol. 





set system services ssh protocol-version 


Junos-FIPS allows the SSHv2 setting only. 





set system login password format { des | md5 } 


You must encrypt administrator passwords using strong algorithms, 
such as Secure Hash Algorithm (SHA-1). 





set system ike policy policy name proposal-set 


Junos-FIPS does not support preconfigured proposal sets. You must 
configure an IKE proposal explicitly. 





set system ike proposal proposal name 
authentication-algorithm md5 


set system ipsec proposal proposal name 
authentication-algorithm hmac-md5-96 


Junos-FIPS does not support Message Digest 5 (MD5). However it 
does support SHA-] and SHA-2. 





set system ike proposal proposal name 
encryption-algorithm des-cbc 


set system ipsec proposal proposal name 
encryption-algorithm des-cbc 


Junos-FIPS does not support Data Encryption Standard (DES). 
However it does support Advanced Encryption Standard (AES) or 
3DES. 





set system ike proposal proposal name protocol ah 


Authentication Header (AH) protocol provides authentication but not 
encryption. Enhanced Security Protocol (ESP) is required. 





set system ike proposal proposal name dh-group {group] 
| group2} 


Junos-FIPs does not support Diffie-Hellman (DH) groups 1 and 2. 
However DH-group 5 and higher are supported on Junos-FIPS. 
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Related . Unsupported Junos-FIPS Operational Commands 
Documentation 


Unsupported Junos-FIPS Operational Commands 


The following operating commands are not supported on Junos-FIPS: 


[@foyanlant=tale! Description 








request system software reboot at time in You must load the firmware image directly from the internal flash memory. 
minutes usb Junos-FIPS does not support loading from an external source. 

set wlan Junos-FIPS does not support wireless configuration. 

request system software rollback You must upload a new version of the firmware explicitly. Junos-FIPS does not 


support the rollback to a previously saved version. 





request security pki ca-certificate enroll You must enroll the certificate authority enrollment manually. Simple Certificate 
Enrollment Protocol (SCEP) is disabled. 





Related . Unsupported Junos-FIPS Configuration Statements 
Documentation 
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